runtime/lava: Add default way to get API token if not set #2258
2eb6474 to 5fbbf35
But, why would the API token be retrieved from YAML anyway? It's meant to be loaded from the TOML secrets. That's already implemented in
I think you misunderstood how this was meant to work.
@@ -180,6 +181,16 @@ def get_params(self, job, api_config=None): | |||
return params | |||
|
|||
def generate(self, job, params): | |||
# if LAVA runtime dont have set notify.callback.token |
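Review bot: The comment added at the top of generate() ("if LAVA runtime dont have set notify.callback.token") states only the condition, not where the fallback value comes from or why a job without a configured callback token should get one. Please reword it (for example "If the LAVA runtime has no notify.callback.token set, ...") and name the source of the value. The hunk header shows ten lines added to this function, so the fallback also deserves a mention in the method docstring, including what happens when the fallback source is missing too.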
And, why set some default callback attributes? The idea is that if there's no callback or "notify" attribute then the job just doesn't generate a callback when it completes. Loading API tokens from the environment is not going to work here. Also, the tokens are stored in the LAVA database anyway.
Actually, I see this is for callbacks. The API tokens are stored in the LAVA database, they don't need to be known when generating the job.
8770b78 to 1bfcdb7
I think you are confusing the API token used for callbacks and the LAVA token. The LAVA token is fine, but I'm having issues with the callback token, which is equal to the API/pipeline API token and set in the LAVA job template separately.
That's what I mean, the API token is stored in the LAVA database and used in the callback request sent by LAVA. I don't see what you're trying to fix here.
It's fixed now:
LAVA callbacks were not working.
token literally set to "kernelci-api-token-staging"
It will add value in yaml: notify.callback.token and send to LAVA. This means it will be string "kernelci-api-token-staging" here.
3) LAVA after completing job will request callback URL with header "Authentication: kernelci-api-token-staging".
Now I am using 16 chars truncated API_TOKEN as callback token and it is working.
OK, the problem here is that there isn't a callback token set up as expected in the LAVA database. So instead of inserting the API token it just puts the name by default. The API tokens are never stored in YAML, it's just a LAVA "feature" which should probably be changed. Maybe with some private jobs it's OK to have the token directly in the job definition, but that's never the case for KernelCI.
As pipeline.yaml is not considered a "secure" file, we might not set the API token in it, then retrieve it from the OS environment. Also, because LAVA has a limit on token length, truncate it to 16 characters.

Signed-off-by: Denys Fedoryshchenko <[email protected]>
1bfcdb7 to 44b6b4a
True - I verified this in both staging and production LAVA instances: there is no

I had a look at the docs which could clarify this process a bit: https://kernelci.org/docs/labs/lava/#steps-to-add-a-lava-lab-to-kernelciorg

@nuclearcat do you think that extending them with e.g. flow diagram (who generates tokens, how to store them) would make this process less error prone?

To address another issue that did not come up in this thread but was raised during various discussions: auth token value can be set arbitrarily through admin panel:

To sum up - I would propose three actions:

After these tasks are complete this PR could be closed (or converted to the issue earlier). (1) and (2) can be assigned to me, (3) to the extent I'm allowed with my current access privileges to KCI instances.
This is a follow-up on the discussion of PR: kernelci#377 kernelci/kernelci-core#2258

Now the workflow of enabling a LAVA lab is simplified: the LAVA lab needs to enable one or two tokens (two is a bit more secure, as one will be used to submit jobs, another for callbacks), and provide the name (description) of one of the tokens to specify in pipeline.yaml. Also, in the toml file we need to specify the callback token value.

Signed-off-by: Denys Fedoryshchenko <[email protected]>
OK after a lot of discussion around the issue, it turns out the actual problem is that JWT tokens are now always too long with the new user management system. Previously, they could work with short user names which is why it was set to
Thanks, as follow up: kernelci/kernelci-pipeline#381
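The failure mode discussed in this thread (LAVA sending the token name literally when its database holds no token with that description) can be caught on the receiving side, and a secret pasted into pipeline.yaml can be caught before it is committed. This is an added example, not code from the PR or from KernelCI; the function names, result strings and sample values are assumptions, and the caller is assumed to have already read the token name from pipeline.yaml and the callback token value from the TOML secrets.

```python
import hmac
import re

# Shape of a JWT: three base64url segments separated by dots.
JWT_SHAPE = re.compile(r"^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}$")

# Constructed sample values, for illustration only.
SAMPLE_NAME = "kernelci-api-token-staging"
SAMPLE_SECRET = "constructed-secret-value"
SAMPLE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJib3QifQ.c2lnbmF0dXJlLXBsYWNlaG9sZGVy"


def lint_token_name(value):
    """Check a notify.callback.token value taken from pipeline.yaml.

    pipeline.yaml is not a secret store, so the field should hold only
    the name (description) under which the lab saved the token in LAVA.
    """
    problems = []
    if not value:
        problems.append("empty token name")
    elif JWT_SHAPE.match(value):
        problems.append("value looks like a JWT, not a token name")
    return problems


def check_callback(received, token_name, secret):
    """Classify the token value that arrived with a LAVA callback.

    secret is the callback token value from the TOML secrets.
    """
    got = (received or "").encode()
    # An unset secret must never match, not even an empty header.
    if secret and hmac.compare_digest(got, secret.encode()):
        return "ok"
    # LAVA found no token with that description and sent the name itself:
    # a lab-side configuration error, worth a distinct log message.
    if token_name and hmac.compare_digest(got, token_name.encode()):
        return "name-not-substituted"
    return "rejected"
```

Only the "ok" result should let the callback through; "name-not-substituted" is still a rejection, but it tells the operator to fix the token entry in the lab's LAVA instance rather than the pipeline secrets.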